The Wall Street Journal has reported that sophisticated hackers may be attacking Apple Inc. iPhones by exploiting a previously unknown flaw in the smartphone’s email software.
ZecOps announced today that a few of its customers were targeted with two zero-day exploits for iOS last year. One of the vulnerabilities showed that it can be triggered remotely and another one requires an additional vulnerability to trigger it remotely.
Researchers said the vulnerabilities are widely exploited in the wild in targeted attacks by an advanced threat operator(s) to target executive management across multiple industries.
This type of vulnerability is disturbing because it involves no action by the user, as they may not realize their smartphone is infected after an attack. While this vulnerability has been fixed in the developer\’s current beta versions, it is essential to get the patch out soon for end users to secure their devices from this exploit. Depending on the risk and confidentiality of an employee\’s email, an organization will need to determine if they are to stop using the vulnerable application until the patch is released.
This disclosure highlights the fact that all apps and mobile platforms are vulnerable to hacks and intrusions. The silver lining in this case is Apple\’s apparent acknowledgement of the issue and quick action to address it now that the issue has come to light. Apple will always hold an advantage over Android in their centralized approach to software updates, although the rapid evolution of devices and operating systems (iOS and now iPadOS) have led to a unique form of fragmentation that makes this email flaw more challenging to address than it might have been five years ago. This should serve as yet another reminder to only install trusted apps, especially in a business setting.
These attacks on iOS devices have been exploited for over 2 years by nations states and professional hacking organizations and affect all versions of iOS since at least 2012. The attack affects the built-in iOS Mail app but not other popular emails apps such as Outlook or Gmail. You must assume that any attacker with enough ability or financial backing has access to sure-fire exploits that can take control of computers or devices running any operating system or application. These exploits are specially designed to go undetected by anti-virus, firewalls, or other front-line security controls. They only way to defend against such attackers is to have a culture of security with defense in-depth capabilities including close monitoring of security logs and anomalous network traffic.
These attacks on iOS devices have been exploited for more than two years by nation states and professional hacking organisations and affect all versions of iOS from as early as 2012. The attack affects the built-in iOS Mail app but not other popular emails apps such as Outlook or Gmail. You must assume that any attacker with enough ability or financial backing has access to sure-fire exploits that can take control of computers or devices running any operating system or application. These exploits are specially designed to go undetected by anti-virus, firewalls, and other front-line security controls. They only way to defend against such attacks is to have a culture of security with defence in-depth capabilities including close monitoring of security logs and anomalous network traffic.
As we have seen in the past, sophisticated attacks on high value – or high profile – targets aim to leverage exploit chains starting with a one-click or zero-click attack to increase their chances of success. Surveillance tooling using such exploits is available for sale and, in some cases, as a service by third parties. The rising prevalence of such attacks indicates that attackers are becoming increasingly aware that mobile devices are the most valuable targets for surveillance and spying. Not only do these devices offer access to user documents, communications, and cloud accounts, they can also act as a live surveillance tool by virtue of their sensors, such as the microphone, camera, and GPS device.
This incident demonstrates how even the most well-maintained, fully upgraded mobile operating systems can be susceptible to attacks and compromise. Third-party security solutions can detect and defend against the impact of device compromise, malicious apps, and phishing attacks against mobile devices.